Atom
Identity and authorization in one deployable service.
Open-source authentication, RBAC, ABAC, and runtime authorization in a single Rust binary backed by PostgreSQL.
Built for modern identity and access control.
Authentication, authorization, identity management, and policy enforcement — one service.
Humans, devices, services, workloads, and applications share one identity model. No special user class.
Every policy decision is evaluated live. Token changes and revocations take effect on the next request — no restarts.
JWT sessions, API keys, and OIDC social login (Google, GitHub). All flows produce a standard Atom JWT with zero-downtime key rotation.
Tenant isolation across entities, resources, and policies. Each tenant gets a bootstrapped admin role with full lifecycle enforcement.
Ask why a request was allowed or denied. The explain endpoint returns a full decision trace — matched policies, skipped bindings, ABAC steps.
Apache 2.0. GraphQL, REST, and gRPC APIs. Single Rust binary, PostgreSQL auto-migrated on startup. No vendor lock-in.
Two modules. One binary.
Identity and Authorization run in the same process, backed by a single PostgreSQL database. No sidecars, no external services.
Deploy. Model. Enforce.
Run Atom
Clone the repo and start the stack with Docker Compose. Atom migrates the database and seeds the admin account automatically.
Model your system
Create tenants, entity kinds, and resource definitions through the Admin UI or API. Profiles let you describe your platform's vocabulary.
Enforce access
Call the authorization endpoint from your services. The policy engine evaluates live state and returns ALLOW or DENY instantly.
One policy primitive. RBAC and ABAC unified.
Both role-based and attribute-based access control are expressed through a single PolicyBinding — no separate systems to manage.
PolicyBinding {
subject: group("operators")
grant: capability("publish")
scope: tenant("factory-a")
effect: allow
conditions: {
"resource.env": "production"
}
} No permissions embedded in tokens. Every decision is evaluated online.
Built for operators.
Manage every object in the system from one interface. No SQL console, no curl scripts.
Live platform summary — entity counts, recent activity, authorization outcomes, and expiring credentials at a glance.
Create, update, and manage humans, devices, services, workloads, and applications with credentials and group membership.
Create and inspect RBAC and ABAC bindings. Set explicit deny rules and view all bindings for any subject or resource.
Define roles and assign capabilities. Role membership is evaluated live — no token reissuance when roles change.
Run explain queries interactively. See matched policies, skipped bindings, and ABAC evaluation steps without writing any code.
Every significant event — login, logout, credential creation, authorization checks — logged immutably and exportable to CSV.
Built-in Playground with full schema introspection. Explore the API, run queries, and test policies interactively.
GraphQL-native. Runtime-ready.
One endpoint for management. A dedicated gRPC channel for high-throughput runtime checks.
All management at a single endpoint — full schema introspection and a built-in Playground.
Define REST routes in the Admin UI backed by GraphQL operations. No code deployment needed.
High-throughput authorization checks over gRPC — used by Magistrala and microservice backends.
Explore the schema, run queries, and debug policies directly from the Admin UI.
Up and running in minutes.
git clone https://github.com/absmach/atom.git cd atom docker compose up -d
# Open in your browser: # http://localhost:3005 # # Log in as the super admin # using the credentials you # set in ADMIN_SECRET
Where Atom fits.
Multi-Tenant SaaS
Tenant-scoped identities and runtime policy enforcement with full lifecycle isolation.
IoT Platforms
Devices and gateways as first-class identities with credentials and fine-grained runtime policy coverage.
Microservices
Centralized runtime authorization across services. One HTTP or gRPC call per check, policy changes propagate instantly.
Security Operations
Access explainability through the API. Answer 'why denied?' and 'who can access this?' without touching the database.
Edge Systems
Single-binary deployment alongside edge infrastructure. Minimal footprint with full policy enforcement.
One binary.
Self-contained and operational immediately after deployment. No infrastructure assembly required.
Common questions.
How is Atom different from Keycloak?
Keycloak embeds permissions in tokens — policy changes require token reissuance. Atom evaluates every authorization decision live through the PDP. It also ships as a single binary backed by one PostgreSQL database, with no JGroups, no Infinispan, and no XML configuration.
Does Atom support RBAC and ABAC?
Yes. Both are expressed through the same PolicyBinding primitive. RBAC uses role grants with no conditions. ABAC attaches dot-path conditions evaluated against entity or resource attributes. You can combine both in a single binding.
Does Atom support OIDC?
Yes. Atom supports OIDC social login with Google, GitHub, and any standards-compliant provider. The OIDC flow produces a standard Atom JWT — same as password login. Atom also exposes a JWKS endpoint for zero-downtime key rotation.
Can Atom run in Kubernetes?
Yes. Atom is a single stateless binary that reads config from environment variables. Deploy it as a Kubernetes Deployment with a PostgreSQL service. Migrations run on startup — no init container or migration job needed.
Are permissions embedded in JWTs?
No. Atom JWTs carry only the entity ID and session ID. Authorization is evaluated live on every request. A policy change or session revocation takes effect immediately — no token reissuance or cache invalidation needed.
Is Atom open source?
Yes. Atom is licensed under Apache 2.0. The source is at github.com/absmach/atom. All APIs — GraphQL, REST, and gRPC — are fully open with no commercial restrictions.
Deploy Atom today.
Identity, authentication, and authorization from one deployable service. Apache 2.0. Single binary. Deploy alongside PostgreSQL on a VM, in Docker Compose, or on Kubernetes.